FYI–-UDP Flood XAMPP Exploit

  • Just thought I'd pass this on in case anyone could use it…

    I'm running PFsense 2.2.1 latest, and greatest ofcourse...

    Our company moved location and we've just brought the network back online connecting the various locations using Ubiquiti equipment.
    I've downloaded and installed Squid 3, taking into account the 4 locations now using PFsense at the center of them all, being the 'gateway'

    So, after installing and configuring squid 3, I noticed the CPU usage was at 17%. I thought this was a result of squid and general usage.
    However, tonight I just happened to check our CAS servers, and noticed one of them sending over 800mbits/s of traffic. Well, we don't have that kind of link. Our internet link is a mere 7Mbits, so..what the??

    Turns out, XAMPP WEBDEV server was hacked and exploited with malicious PHP files uploaded. Apache server logs erased.

    httpd.exe was disabled, and UDP flood terminated. PFsense CPU usage went down to between 0% and 5%.

    Just goes to show what happens when you assume and take things for granted. Details attached...

    ![CAS Bandwidth.jpg](/public/imported_attachments/1/CAS Bandwidth.jpg)
    ![CAS Bandwidth.jpg_thumb](/public/imported_attachments/1/CAS Bandwidth.jpg_thumb)

Log in to reply